     
                                                     
                                                       
              Outbreak Magazine Issue #14 - Article 3 of 15
          '~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

How I found my JetDirect and what I did to her when I found her
===============================================================
by ghostmeat 
foodbooktime@hotmail.com
AIM: gh0s7m347

Disclaimer: I'm not responsible for what you do with this information.

This file assumes you know how to use ftp, telnet and understand basic
concepts of internet addressing like IPs and port numbers.

0. Introduction
1. Discourse on JetDirect-nature
2. Print-f00
3. Taking Control
4. Additional Resources 
5. Conclusion

0. Introduction
========

I found out about HP Jetdirect software when my friend showed me these
interesting FTP servers on our school's LAN. Apparently, whenever we uploaded
a file, one of the printers printed it out. Wow! Thus I began my systematic and
ruthless (not really) inquiry into the hidden secrets of the Mystical HP Jetdirect
Anomaly. My conclusion is that if you have access to a network with
these on it, or find some over the internet, you have the potential to make them
print no matter where you are, possibly manage them remotely, and generally
make them do things they aren't supposed to do. In this file I'll tell you how to
find them and the basic things you can do, but I'll refrain from getting too detailed
since once you get a printer it's pretty much self-explanatory.


1. Discourse on JetDirect-nature
=================

Of all of the printers I've surveyed, I've found stuff on the following ports:
		
	-21: An ftp server like the one described above. Usually, you don't
	need to enter a username or pass.  
	
	-23: Telnet administration. Requires password, although I have 
	found some that use a default password or none at all.  
	
	-80: HTTP remote administration and status
	
	-280: nmap labels this http-mgmt. Generally, I've found it to be
	no different from the other http ports
	
	-515: This is the port that the unix printer service (lpd) uses.
	
	-631: Another http port. You can somehow use this for IPP, or internet
	printing, but I'm not sure how this works.
	
	-9100: This allows one to print whatever is entered - very neat!

Generally, the way to find these is by scanning for port 9100. So if you
wanna scan class A network 'A.x.x.x', then you would run nmap thus so:

	nmap -sS A.*.*.* -p 9100 -oN results.txt

Just search the results for 'open' to find the hosts that are vulnerable to
your mischief. (;
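Added here, and not part of the original article, is the admin's side of that scan: a Python check over firewall or flow log lines that flags anything reaching the ports listed above other than the print server or an admin box, plus any single host sweeping port 9100 across several printers. The log format, the 10.0.x.x addresses and the print-server/admin host lists are constructed for the example.

```python
import re
from collections import defaultdict

# Ports the article lists on JetDirect cards and the service behind each.
PRINTER_PORTS = {21: "ftp", 23: "telnet", 80: "http", 280: "http-mgmt",
                 515: "lpd", 631: "ipp", 9100: "raw-print"}
MGMT_PORTS = {23, 80, 280, 631}     # interfaces that can change the card's config
SUBMIT_PORTS = {21, 515, 9100}      # accept print data with no password

# Assumed log format (constructed for this example): key=value fields per line.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")
def audit_printer_traffic(log_lines, print_servers, admin_hosts, sweep_min=3):
    """Return (src, dst, port, reason) tuples for: print data sent straight to
    a printer instead of via the print server, a management port touched by a
    non-admin host, and one source probing port 9100 on sweep_min+ printers."""
    findings = []
    raw_targets = defaultdict(set)  # src -> printers it reached on 9100
    for line in log_lines:
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if dport not in PRINTER_PORTS:
            continue
        svc = PRINTER_PORTS[dport]
        if dport in MGMT_PORTS and src not in admin_hosts:
            findings.append((src, dst, dport, f"{svc} management from non-admin host"))
        elif dport in SUBMIT_PORTS and src not in print_servers:
            findings.append((src, dst, dport, f"direct {svc} job bypassing print server"))
        if dport == 9100:
            raw_targets[src].add(dst)
    for src, printers in raw_targets.items():
        if len(printers) >= sweep_min:
            findings.append((src, "*", 9100, f"port 9100 probed on {len(printers)} printers"))
    return findings

# Constructed sample log: 10.0.9.x are printers, 10.0.1.5 is the print
# server and 10.0.2.2 the admin workstation.
SAMPLE_LOG = """\
2003-04-01T10:00:01 src=10.0.5.23 dst=10.0.9.10 dport=9100 proto=tcp
2003-04-01T10:00:02 src=10.0.5.23 dst=10.0.9.11 dport=9100 proto=tcp
2003-04-01T10:00:02 src=10.0.5.23 dst=10.0.9.12 dport=9100 proto=tcp
2003-04-01T10:00:05 src=10.0.1.5 dst=10.0.9.10 dport=515 proto=tcp
2003-04-01T10:00:09 src=10.0.7.40 dst=10.0.9.11 dport=23 proto=tcp
2003-04-01T10:00:12 src=10.0.2.2 dst=10.0.9.11 dport=80 proto=tcp
2003-04-01T10:00:15 src=10.0.5.23 dst=10.0.9.10 dport=443 proto=tcp
""".splitlines()
PRINT_SERVERS = {"10.0.1.5"}
ADMIN_HOSTS = {"10.0.2.2"}
```

Run on the sample it reports the three direct jobs from 10.0.5.23, its three-printer sweep, and the telnet session from 10.0.7.40, while the print server and admin box stay quiet.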


2. Print-Foo
======

This is an easy way to print out stuff in places where you have no business
printing. Especially fun for work or school, where there are different
printers throughout the building. And best of all, there's no username or
password required! w00t!!@#$!#%^ There are three main ways to do this:
FTP, telnet, or LPR.

With FTP, simply ftp into the IP address of your target. To login, just press
enter twice. It will look something like this:

Connected to 63.67.2.186 (63.67.2.186).
220 JD FTP Server Ready 
Name (1.2.3.4:w00t): 
331 Username Ok, send identity (email address) as password. 
Password:
230- Hewlett-Packard FTP Print Server Version 2.0
Directory:     Description:
-----------------------------------------------------
PORT1          Print to port 1 HP LaserJet 5000 Series

You may also see 'PORT2', 'PORT3', etc. To print out a file, just use 'put
<file> PORT1' and it will print it out! DO NOT, however, send pictures. Instead
of seeing kinky mermaid tentacle sex they'll see 60 pages of meaningless
garbage, and by the time you're trying to send k-rad ascii pr0n the printer
will be out of paper. You could do something like this purposely, though.
If you are in the mood to be a really annoying bastard, send an executable
file! They won't know what hit 'em. Also, PostScript (.ps) files can be
sent. These can contain graphic content, but I'm not sure how detailed it can be.
During the ftp session, type 'bin' to go into binary mode, and then upload the 
ps file.

Sometimes FTP isn't enabled for some reason or another. But a much simpler
route is to just telnet into port '9100' and type whatever you want to
print. The printing will start as soon as you disconnect. You have to be
careful, though - the printer interprets everything verbatim, so if you
fsck up and type a wrong letter, when you press backspace and type over it
the printer will actually display two letters on top of each other. It would
suck to go through all the trouble of coming up with something clever and
then no one can read it. PS files work here too, just by redirecting the
output of whatever file you want to use to port 9100 on the target.

To use the LPD service on port 515, you need some form of LPR client. I'm not
going to go into detail on this, because it's pretty well documented in other places.

3. Taking Control
==============

The Jetdirect allows you to manage it remotely. This means you not only can
print from it, you can also change its IP address, its trusted host list, the different
protocols it offers (TCP/IP, AppleTalk, and a bunch of stuff I've never heard of),
and lotsa other stuff. Sure, it's not like you're rooting a NASA server, but
at least you can make a sysadmin slam his head into the wall. (you bastard, why
would you want to do that?! ;-) Check the links section for info on passwords.

Telnet management is present on almost every printer I've seen. You can do pretty
much the same thing with telnet as through the java applets, though. The telnet
commands are pretty simple; you just have to type '?' once you connect.

Embedded webservers come in many different flavors, probably depending on the
firmware of the particular JetDirect. I'm pretty sure you know how to access one,
but if you don't, all you gotta do is load it up in your favorite browser like so:
http://<ipaddress>:80. If port 80 doesn't work, 280 or 631 might. Also, I've
known these to be java-intensive and they require a lot of support for that stuff in
your browser. With access to these, there are a lot of possibilities. DoS
would be pretty easy (just make the configuration screwy), or one could use
the Jetdirect for network reconnaissance by looking at the configuration,
trusted hosts, etc. It's also a good way to verify that you're actually printing
things out, because you can look at the status of the 'Control panel', the
LCD that tells what's going on.
Here are the ones I've seen (and grepped for Server):


Blue Hewlett-Packard 
	This type can be recognised by a frame on one side with
'Home' and 'Administration' buttons. On the home page,
you'll see information about the printer including firmware, hostname, and
possibly location. The Administration menu loads a java applet with different
tabs for administration functions: 'Status', 'Identity', 'Configuration', 'Security', 
'Diagnostics', and 'Support'. Some of these have administrator passwords set,
but you can look at the configuration and even play around with the options
without having to put it in. When you click the 'submit' button to actually
effect the changes, you'll get a password prompt then.
Server: HTTP/1.0 (???)

White Hewlett-Packard 
	A less advanced layout, this kind of web server loads
easier and, in my opinion, allows more control. The main page is
a printer with the status, and there are several links on the left-hand
side. At the top, you'll see two buttons, 'Home' and 'Networking'. The
default page is home, and the Networking page is where the administration
menus are at.  If a password is set here, it won't even let you look at the
administration menus before you enter it.
Server: Agranat-EmWeb/R5_2_0

Canon Fiery-Link 
	This is a really cool thing I found on one particular Jetdirect server. Even
though it appears to be running on a windows box and thus not embedded, port
9100 was open as well and accepted data sent to it for printing. With the
Fierylink Java Applets, you have the ability to view current print jobs, their logs,
and even view thumbnails of the recent ones! There is a small administration
menu, but it only applies to the webserver and doesn't have anything to do
with the printer itself.  
Server: Apache/1.3.6 (Win32)

I'm sure there are more out there. If you find anything cool, email me!

This isn't the only way you can control a Jetdirect enabled printer. If
you're a sick sado-masochistic control freak, check out the link to PJL
commands in the next section.

4. Additional Resources
====================

HP Display hack: 
	
	http://security-archive.merton.ox.ac.uk/rootshell/0013.html
	(unix version)
	http://sourcesite.geeksatwork.com/cplusplus/files/hpnt_printer_hack.txt
	(win32 port)

Released in '97 by sili from the l0pht. This is a neat hack that uses HP's
PJL language to set the LCD display. If you don't have physical access 
to a printer, you can verify that it actually worked by going to the 
embedded webserver. I think with a little modification you could do 
stuff like flashing, scrolling, and other cool slideshow type routines
by constantly updating.

PJL Commands: 
	
	http://www.hp.com/cposupport/printers/support_doc/bpl01965.html

Basis of the l0pht's display hack, and you can do other stuff too with
these. There has to be more than what's listed here, so it wouldn't hurt to
do a little experimenting either. (: To figure out how to actually send these,
the 'escape-sequence' it talks about is 0x1B.
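For the admin side of the display hack and the PJL reference above, here is an added example that is neither from this article nor from HP: a small Python inspector for a job captured off port 9100 (a constructed sample is embedded) that separates the PJL commands from the data actually printed. It allowlists the PJL verbs a normal job needs and flags everything else, so a job that only rewrites the front-panel message stands out in a capture. The exit-language sequence starts with the 0x1B escape mentioned above; the allowlist itself is my assumption.

```python
# Universal Exit Language: <ESC>%-12345X, where <ESC> is the 0x1B escape byte.
UEL = b"\x1b%-12345X"

# PJL verbs a plain print job legitimately uses (assumption for this check);
# anything else, such as panel messages or persistent defaults, is flagged.
JOB_VERBS = {"ENTER", "JOB", "EOJ", "COMMENT", "SET"}

def inspect_job(data):
    """Split a raw port-9100 stream into (pjl_commands, flagged, payload).
    Commands are the consecutive @PJL lines that follow each UEL; whatever
    comes after them is the data handed to the print engine. A stream with
    no PJL at all (text typed over telnet) comes back as pure payload."""
    commands, flagged, payload = [], [], b""
    for chunk in data.split(UEL):
        if not chunk:
            continue
        lines = chunk.split(b"\n")
        i = 0
        while i < len(lines) and lines[i].startswith(b"@PJL"):
            cmd = lines[i].decode("ascii", "replace").rstrip("\r")
            commands.append(cmd)
            parts = cmd.split()
            verb = parts[1] if len(parts) > 1 else ""   # bare "@PJL" is a no-op
            if verb and verb not in JOB_VERBS:
                flagged.append(cmd)
            i += 1
        payload += b"\n".join(lines[i:])
    return commands, flagged, payload

# Constructed samples: a job that changes the panel message before printing,
# and plain text as it would arrive from a telnet session to port 9100.
SAMPLE_JOB = (UEL + b'@PJL RDYMSG DISPLAY="INSERT COIN"\r\n'
              + b"@PJL ENTER LANGUAGE=PCL\r\n"
              + b"Hello from port 9100\r\n" + UEL)
PLAIN_JOB = b"just some text typed at the printer\r\n"
```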

DoS Attacks: 
	
	http://packetstormsecurity.org/new-exploits/hp-jetdirect-DoS.txt
	http://packetstormsecurity.org/9911-exploits/jetdirect.crash.txt

Aside from being a good way to piss people off, a DoS attack on a printer
could be one step in a more complicated attack. For example, if the printer 
was a trusted host for another box on the network, you could make it go 
down and then spoof the IP address through TCP sequence guessing. 

Miscellaneous

	http://www.hp.com/cposupport/networking/support_doc/bpj01014.html
	http://www.hp.com/cposupport/networking/support_doc/bpj02769.html

The first link has a much more complete list of ports, basically making section 1 of
this file completely superfluous. ^^;; The second link has information on 'testing 
connectivity' through different protocols, and includes some default password 
information. There's tons more on Jetdirect at HP's website, http://www.hp.com.
	
	http://www.kb.cert.org/vuls/id/377003

This is a CERT warning about a password vulnerability in the SNMP protocol. I
don't have experience with this personally, but if you really wanna get into
something and it has a password, this could help.

This is by no means a definitive list - just some stuff I found particularly
interesting/helpful.  If you want more information a quick google search on
'Jetdirect' will yield a lot of results.


5. Conclusion
=======

If you look at the resources I've provided you'll notice some of them date back
as much as 6 years. This just goes to show you these are _still_ some of the
most insecure (and fun) machines on the internet.  If you're an admin reading
this, the solution is pretty simple - just firewall your machine and use the
management software to protect it. If you're the majority of the other people
reading this, go to town! I don't believe Jetdirect software has any logging
capabilities by default, so you have pretty much free rein on any machine
compromised, and as I've shown you can do a lot of stuff without 'compromising'
the machine, per se. ;)

Shouts to Kealozim for finding these things, all the phreaks and geeks in NPA330,
and all of my other friends. 
